InfoSec. Or, Why You Don’t Leave Your Car Keys in the Car

October 13, 2009

Wireless connectivity has become ubiquitous as have people using laptops as their main computer.

I would never do either by choice.

It’s a fundamental maxim of security that if more than one person knows a secret then it isn’t a secret. Even if just one person knows then they could potentially be socially engineered into giving out the apparent secret information.

In the IT world this can have far more serious consequences than it could if a burglar were simply to break into your home. Break into the right system where proper controls aren’t in play and you can wreak a special kind of havoc were that your desire.

As I post this I’m using someone else’s internet connection to do so. I’m also doing my usual of listening to Radio 5Live as background noise (in this instance, streamed via the iPlayer) – in this instance by streaming over the net connection I have. Yet I’m whoring someone else’s internet connection.

How am I doing that? Easy.

When my netbook came through I had already packed up my home and moved everything into storage bar anything I didn’t care about. One of those things was my cable modem – upon calling up Virgin Media to cancel my subscription (I was getting a very good deal on a 20Mbps connection) I was told that they didn’t want the modem back even though it is, in principle, something that is merely leased.

As a result, it is still sitting here with me in the flat and is still wired up. Except there is a problem…

When I packed everything up I also grabbed the Cat5 patch cable which had been connecting my modem to my router. It was done more as a part of clearing everything up.

The problem arose when I returned to my flat for the last few days (I get kicked out tomorrow) and realised I didn’t have a workable net connection.

Had I thought about it in advance, though my thoughts were elsewhere, I would have retained the patch cable upon my person and simply used the 20Mbit connection I had (I never got around to upgrading it to 50Mbit) and hooked my netbook up that way. Unfortunately I didn’t do that.

It is though a netbook. It’s designed to take advantage of the ubiquity of wifi/wireless net connections. And everyone and their dog seems to like not having wires around.

When 802.11 first came into play most people who didn’t understand the concept of information security would have routers set up as access points with no form of security at all. This led to the phenomenon termed, at the time, as ‘war-chalking’ whereby people would drive around with the appropriate kit and identify spots where you could access an unsecured wireless internet connection.

As broadband internet access advanced and people increasingly used laptops (I might post at some point about why the netbook was an inevitable consequence of why people use computers, though it may be some time), wireless routers and connections began to proliferate.

This, of course, led to those who knew what they were doing taking advantage of the net connections of those who didn’t and also raised a host of legal issues. How do you find out who has been downloading kiddie porn when it’s been done via an unsecured wireless internet connection? I’m not suggesting this was a common occurrence or that it even occurred but it was a situation that existed.

As a result, ISPs started providing their routers pre-configured to at least use the most basic of security (in the form of WEP) so that the service couldn’t be instantly hijacked and they also provided software discs which needed to be used to configure a Windows-based PC with no user intervention (support for Macs does occur but Linux seems to be outwith their stream of awareness) – this incidentally leads me to believe that all wireless routers from the likes of Sky are configured in the same way which means the WEP keys they use will work on any other router/modem issued by them… But ISPs these days at least take steps to stop hijacking of a connection.

So, what does this have to do with what I premised this post on?

Simple. I’m whoring someone else’s internet connection using a wireless connection over 802.11b/g to make this post.

When I powered up my netbook in order to do some non net-related work I decided to do a quick check to see what wireless networks it could connect to. And I happened to find a completely unsecured network that I could connect to. So I did.

Operating on the assumption that anyone who has an unsecured router probably hasn’t changed the default passwords to administer the router I grabbed the IP for the default gateway for my now live connection (which is always the router) and fired up Firefox and logged into it via HTTP – the various bits of info and error pages told me what router it was (a Buffalo AirStation) and a quick google gave me the default user ID and password.

I was right about this info and able to log into the router.

What I found from reviewing the logs on the router was that whoever’s internet connection I’m whoring for the moment has (at least) a Mac, a PC with a cute hostname and a Nintendo DS. They also have another computer which is hardwired to the router if I recall correctly.

Were I so interested then I likely could have remoted onto any of those computers as they likely have them configured to do auto-logins. In other words, anything of value they might have had I could have grabbed were I that way inclined.

What can they do to resolve this situation?

There is no such thing as perfect security, and the more people who have access to information then the more likely it is that security is going to be compromised. Wireless communications exacerbate that problem as you’re ‘casting security-related information to a large number of people. Given stories about groups having figured out how to take down the most secure wireless security protocols in as little as fifteen minutes then this brings things into focus.

The fundamental limitation is the Nintendo DS which only supports WEP as opposed to WPA/2. But that can still be alleviated by configuring the router to do MAC filtering so that only authorised devices can connect. Plus, the router simply should not be broadcasting its SSID – the only time you turn on broadcast is if you have a new device which you need to connect via the router.

None of that is perfect, but at the moment they are leaving the car keys in the car. Were I a malicious individual then I could bar all their devices from connecting to the net.

You wouldn’t leave the door of your house lying open, but people do it far too often with their net connections…
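As an added example (not part of the original post), the checks argued for above can be written as a small settings audit. The setting names, finding codes, severity labels and the device capability sets below are assumptions made for illustration, and the sample data is constructed.

```python
from dataclasses import dataclass

# Weakest to strongest; "open" means no encryption at all.
STRENGTH = {"open": 0, "WEP": 1, "WPA": 2, "WPA2": 3}

@dataclass(frozen=True)
class Device:
    name: str
    supports: frozenset  # encryption modes this client can use (assumed values)

def strongest_common_mode(devices, target="WPA2"):
    """Strongest mode every device supports, plus the devices that block `target`."""
    common = set(STRENGTH) - {"open"}
    for dev in devices:
        common &= dev.supports
    best = max(common, key=STRENGTH.get) if common else None
    blockers = [dev.name for dev in devices if target not in dev.supports]
    return best, blockers

def audit(settings, devices):
    """Return (severity, code, detail) findings for one router's settings."""
    findings = []
    mode = settings["encryption"]
    best, blockers = strongest_common_mode(devices)
    if mode == "open":
        findings.append(("high", "OPEN_NETWORK", "no encryption: anyone in range can join"))
    if settings["admin_password_is_default"]:
        findings.append(("high", "DEFAULT_ADMIN", "vendor default admin login still works"))
    if best and STRENGTH[mode] < STRENGTH[best]:
        findings.append(("medium", "WEAKER_THAN_NEEDED",
                         f"using {mode}, but every device supports {best}"))
    if best and best != "WPA2":
        findings.append(("medium", "LEGACY_CLIENT",
                         f"{', '.join(blockers)} holds the network at {best}"))
    if not settings["mac_filter_enabled"]:
        findings.append(("low", "NO_MAC_FILTER", "any MAC address may associate"))
    if settings["ssid_broadcast"]:
        findings.append(("low", "SSID_BROADCAST", "network name is advertised"))
    return findings

# Constructed inventory based on the devices named in the post.
DEVICES = [
    Device("Mac", frozenset({"WEP", "WPA", "WPA2"})),
    Device("PC", frozenset({"WEP", "WPA", "WPA2"})),
    Device("Nintendo DS", frozenset({"WEP"})),
]
# The router as the post found it, and as the post says it should be set.
AS_FOUND = {"encryption": "open", "admin_password_is_default": True,
            "mac_filter_enabled": False, "ssid_broadcast": True}
AS_ADVISED = {"encryption": "WEP", "admin_password_is_default": False,
              "mac_filter_enabled": True, "ssid_broadcast": False}

if __name__ == "__main__":
    for label, cfg in (("as found", AS_FOUND), ("as advised", AS_ADVISED)):
        print(label)
        for severity, code, detail in audit(cfg, DEVICES):
            print(f"  [{severity}] {code}: {detail}")
```

Even with every recommendation applied, the audit still reports the legacy client: the network cannot move past WEP until that device is retired or isolated.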


Homelessness. 21st Century Style

October 12, 2009

Please allow me to introduce myself, I’m a man severely lacking in wealth and somewhat curious tastes. And after mangling the Rolling Stones let’s begin anew…

As of Wednesday 14th October 2009 I will finish the process of joining the ranks of the homeless in the City of Edinburgh. As if being jobless wasn’t enough, I’m losing my home after my tenancy was ended unexpectedly.

My tenancy was what’s known as a Short Assured Tenancy. What this means is that after the first six months of your tenancy then the landlord can terminate the tenancy for no reason whatsoever provided they give you two months notice to quit the property. That’s what happened to me at the end of July of this year.

For reference, the principal other type of tenancy is an Assured Tenancy. This means you can only be evicted under specific circumstances. Don’t completely trash the place or be a massively anti-social menace of a neighbour and the property is yours for life. Strangely enough, most private landlords who purchased their properties under a Buy to Let mortgage aren’t overly keen on such arrangements so it’s mainly local Councils and Housing Associations who lease out properties under these arrangements.

So, now you’re thinking that maybe I should have tried leasing another place, right? Did you miss the part where I mentioned I was jobless? If you’re unemployed then you can get what’s called Housing Benefit to cover your (reasonable) rent. The idea being, here in one of the Soviet Socialist States of Europe (also potentially known as Eurofag-land if you happen to be of the American persuasion), that having hordes of homeless people wandering around is A Very Bad Thing.

Now, those in Council properties or Housing Association properties will only get sufficient money paid so as to cover the rent – which is typically much lower than a private rental – but those in private rented accommodation will get Local Housing Allowance. This is calculated and how much you receive is based upon typical rents in your area based upon what is considered to be your reasonable need with regards to your housing requirements. As a single male, I wouldn’t receive payment sufficient to cover a two bedroom flat as a one bedroom or studio flat is considered reasonable.

When originally introduced, Local Housing Allowance was piloted in several areas, of which Edinburgh was one, and you were permitted to retain the full amount deemed appropriate based upon your requirements regardless of your rent. So if it was deemed appropriate that you receive the one bedroom rate (for Edinburgh at least) of approximately £114 per week, or £495 per month, yet your rent was £350 per month then you got to pocket the difference.

The thinking behind this was two-fold. Firstly, there is a massive shortage of Council and Housing Association (social housing) properties with waiting lists running into many years. By introducing this scheme the hope was that it would encourage people to move out of social housing into privately rented accommodation and thereby free up social housing owing to the Government being too miserly to actually build any new such housing.

After all, going from only getting enough in benefits to cover your rent to gaining an extra hundred pounds a month in benefits should be a pretty good incentive, shouldn’t it?

Turns out, it’s not. Not unreasonably, people are reticent to give up the security offered by an Assured Tenancy for a Short Assured Tenancy even if it would allow them to move to a better area, particularly if their personal employment situation can be somewhat variable. A situation compounded by a lack of willingness to ensure people were properly informed of the options – the Government were probably terrified of the Daily Mail crowd finding out and screaming blue bloody murder over rewarding malingerers and scroungers.

The second bit of thinking was that allowing people to retain the difference between their rent and the Local Housing Allowance was to encourage people to move into cheaper properties that may become available if they happen to already be in private accommodation. Not unexpectedly, this didn’t happen – who is going to move out of their home if they don’t have to?

There is also though a bar to moving home if you’re unemployed, which you realistically will be if claiming Housing Benefit, and that is that private landlords do not like to lease to benefit recipients despite the fact they’re essentially guaranteed they are going to receive the rent money because the Government is paying.

For this reason, the local council will pay your Housing Benefit directly into your bank account so that a landlord will never know that you’re in receipt of it and it is also illegal to refuse to let to someone simply because they are in receipt of benefit.

However, they can easily get around this by asking for an employer’s reference, plus how do you pay the deposit if you have insufficient savings such that you’re in receipt of a means-tested benefit (as an aside, City of Edinburgh Council has been partnering with some letting agents to provide deposit-free homes for those who can’t afford them and satisfy the legal definition of homeless such that the Council provides the surety. Unfortunately, there aren’t that many properties available). When you can’t produce that then they know you’re unemployed and unfortunately they let the property to someone else.

So, what started as a great idea didn’t work out as planned for a variety of reasons. Following the pilot, the scheme was amended so that you could only keep up to an extra £15 per week over and above your weekly rent and there is talk of the Government removing even that.

So, I’m in the position where I can’t get another home because I don’t have a job and there is no Council or Housing Association property available. Even though I’m a high priority case, it could take another six (or more) months to get social housing.

You’re now (or maybe) asking yourself, “Well, why don’t you get a job?”.

Have you not been paying attention for the past year? There are jobs available but the realities of the Masters of the Universe letting their psychotic egos trash the global economy in pursuit of yet another Gulfstream G5 and multi-million acre mansion, along with them convincing most of the populace to live well beyond their means in an attempt to get those pretty little trinkets, means that it’s not exactly an easy thing to do.

I have a bigger problem though, I’m a hardcore alcoholic. And I’m a hardcore alcoholic who is waiting on a phone call for as soon as a place becomes available for in-patient detox treatment followed by a month of out-patient treatment where I’d have to attend the local psychiatric hospital every day for a month. Would you employ me? Further, I may well have underlying mental health problems such as clinical depression though a formal diagnosis can not be made until I’m alcohol-free.

The inevitable consequence of all of this is my soon-to-be lacking of a home to call my own. Which is where this blog comes in.

As I came closer to the date upon which I have to go to the Housing Options Team and arrange emergency accommodation in either a hostel or a Bed & Breakfast, I started thinking. I’m an IT geek and need a net connection in a way that many do not – if I don’t have a net connection then it becomes comparable to an itch that won’t go away.

Further, how am I supposed to keep in touch with people, look for a home, apply for jobs, stay informed as to what is going on in the world and my chosen sphere of (sometime) employment etc. without a net connection? Ever since the net began to take off we have come to lead an increasing amount of our lives online to the point where it has become an integral component of living.

We now no longer go to the library or consult the Yellow Pages or remember simple facts, we use Wikipedia or we google it – and that is one of the indicators of just how significant the impact has been, we turned a trademarked brand name for a search engine into a verb in just a few years. We offloaded our knowledge whilst simultaneously granting ourselves access to more knowledge than anyone in history has had access to.

For those who still haven’t been jacked into the grid or meshed in the cloud then it can be difficult to comprehend just how much an essential part of our lives it has become. We can’t function without it, and if you don’t have access then you are effectively denied access to the modern world. But how do you get online and be part of the world when you are homeless and have nowhere to live and therefore no permanent net connection?

Again, this is where technological progress has offered an unexpected solution to a problem it wasn’t even being applied to.

A wireless communications standard developed by the IEEE called 802.11 and the resultant rise of free Wi-Fi.

People hate the clutter of wires and some people need to be available anywhere. The result was the development of a wireless communications standard to deal with the former and a subsequent explosion in businesses and municipalities offering the former in order to drum up business from those who need the latter or wish to telecommute. Now you no longer need to go into the office to work and nor do you need to sit at home. You can go to a coffee shop or a pub – or even McDonalds! – and do what you need to do. It’s reached the point where I have witnessed the express commuter bus service between Edinburgh and Dunfermline advertising that it has free Wi-Fi. It’s ubiquitous.

But this has an unlikely spin-off for those who are homeless. It means that, provided you have access to a netbook or a laptop, then you can still perform most of the high-level functions that are associated with modern living wherever we go rather than the previous situation where you may have spiralled into an ever worsening situation of isolation from society and that you can still potentially contribute despite the lack of somewhere to call home. It even raises the question of whether the model of a fixed home with a nuclear family and two cars is even sensible anymore. If you can function in the world regardless of whether you have a fixed base then is that fixed base a sane and rational choice?

This shouldn’t be surprising in retrospect. We saw a similar unintended spin-off through the rapid advancement mobile phones made within our society. With phones getting ever cheaper and people replacing them at almost the same rate we might change our underwear then the phones we discarded had to go somewhere. They did. Sub-Saharan Africa.

Always having had significantly underdeveloped infrastructure, high development and implementation costs for infrastructure, underdeveloped economies, rampant corruption and massive distances to cover (these are not individual problems but rather interlinked ones) it was the case that communications technology was severely lacking.

The first world’s penchant for tossing its cellphones has made significant improvements in that. Now, an isolated village just needs a cheap cell tower, a generator and a relatively cheap satellite link or one cable link and, coupled with cheap second-hand cellphones, areas which never previously had a communications infrastructure now have one and this may well be contributing to the improvements in the overall situation in sub-Saharan Africa. As an unintended consequence of the communications revolution in the ‘developed’ world, this region has effectively skipped at least one developmental step.

Therefore knowing how important it was that I still be able to communicate electronically I made a decision. I bought a netbook.

Being made homeless didn’t truly terrify me though it may have left me deeply upset, being disconnected did. Having put some thought into it though, I knew I could always be connected.

It’s a reasonable spec as well. It’s a Lenovo Ideapad S10e with 1.6GHz Atom processor with 2GB of RAM and a 160GB hard drive. I went with the Linux option (it’s running SUSE 10, although I might modify the partitioning and shove Win 7 on it to see how it performs given I’ve run Win 7 acceptably enough on an E4400 Vista box with 2GB using VirtualBox assigning the VM 768MB) as that gave me a gig of memory more than you would typically get whilst also costing noticeably less than the XP based models. Rather an indictment of the cost of the Windows tax given that this is probably a better spec balance than most…

I realise most people would have hoarded what little money they had, but I could afford it and the opportunity cost of being able to be connected strikes me as outweighing the cost of the netbook.

The form factor for the keyboard takes some getting used to and I use an external mouse rather than the touchpad but then I have never particularly liked touchpads or ‘nipples’. I need to get around to tethering my phone to it but I need to work out whether it’s worth the cost of amending my phone contract…what

As for this blog, its function is to allow me to express my thoughts (yes, I appreciate that is somewhat redundant when it comes to the purpose of blogging) but also to explore the issues of homelessness in the modern world and to allow anyone who wishes the means to keep up with what is happening in my life. It also provides a purpose to myself for the times when I either can’t function or need to feel like a human being.

Just as a final thought, people believed the future would consist of flying cars and domestic robots and food pills and trips to the moon. They were wrong. The future really offered us more and more varied ways of communicating and connecting with one another. It allowed us to become closer to one another – the hypothecated global village if you will.

The future happened. We’re living in it.